---------- Forwarded message ----------
Date: Sun, 11 Oct 1998 15:17:41 -0400
From: Richard M. Smith <rmsat_private>
To: NTBUGTRAQat_private
Subject: The Cuartango Security Hole in IE4

Hello,

Juan Carlos G. Cuartango of Spain has discovered an extremely serious security hole in Internet Explorer 4. With a small amount of JavaScript code on a Web page, a Web site operator can steal any file from a user's hard disk and automatically upload the contents to a Web server. More worrisome is the fact that the security hole can also be exploited in an HTML-based Email message in Outlook Express. Simply by reading a booby-trapped Email message, private files can be stolen from one's hard disk. Most computer users, I suspect, will consider this an unacceptable product defect.

Details of the security hole were posted late last week at Mr. Cuartango's Web site:

http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html

The Web site also contains a demo of the security problem. The demo is based on a standard file uploader HTML form. Normally only the user can manually set the name of the file to be uploaded, but IE4 inadvertently allows JavaScript to execute cut and paste functions to set the file name. After the file name is set, JavaScript auto-submits the form to upload the file.

I've tested the demo on three different systems and it worked on two of them. The one system on which the demo failed was running the original release of IE4, which came out in September of last year. The two systems on which the demo worked were running IE 4.01, which started shipping earlier this year. The demo appears to work both on Windows 95 and Windows 98. It should also work on Windows NT, but I haven't had time to test it. The bug is also reported to be present in the preview version of IE5.

According to Juan Carlos's Web site, Microsoft has confirmed the bug and is now looking at how to fix it.

Richard M. Smith
rmsat_private
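The defect Smith describes hinges on one browser behaviour: script being able to fill in the file name of an `<input type="file">` without the user choosing it. The following is an added regression probe for that behaviour, not code from Smith's message or from Cuartango's demo. It only tries to assign a value to a detached file input and reports whether the assignment stuck; nothing is submitted or read. The function names (`probeFileInputValue`, `verdict`, `runInBrowser`) and the file path are constructed for this example. Current browsers are expected to reject a non-empty assignment with an `InvalidStateError`, so a "VULNERABLE" verdict flags a browser that still has a Cuartango-class hole.

```javascript
// Added example (not from the original message): a defender-side regression
// probe for the Cuartango-class defect. Per the HTML specification, script may
// only set a file input's value to "" (to clear it); any other value must throw.

// Probe a single file-input-like element. `input` only needs a `value`
// property, so a real DOM element and a test double both work.
function probeFileInputValue(input, candidate) {
  const before = input.value;
  let threw = false;
  let message = '';
  try {
    input.value = candidate;
  } catch (err) {
    threw = true;
    message = err && err.name ? err.name : String(err);
  }
  const after = input.value;
  // The defect is present if the assignment silently took effect.
  const settable = !threw && after === candidate;
  return { settable, threw, error: message, before, after };
}

// Human-readable classification of a probe result.
function verdict(result) {
  return result.settable
    ? 'VULNERABLE: script can pre-fill a file input (Cuartango-class behaviour)'
    : 'OK: file input value is not settable from script';
}

// Browser entry point: create a detached file input, probe it, and report.
// The path is a constructed placeholder; it is never read and no form exists.
function runInBrowser(doc) {
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (!d) return null; // not running in a browser (e.g. node): nothing to probe
  const input = d.createElement('input');
  input.type = 'file';
  const result = probeFileInputValue(input, 'C:\\constructed\\example.txt');
  return Object.assign({ verdict: verdict(result) }, result);
}

// In a browser console: runInBrowser() prints the verdict object.
if (typeof document !== 'undefined') {
  console.log(runInBrowser());
}
```

Paste the block into a browser console (or load it from a page) and call `runInBrowser()`; on a spec-compliant browser the result has `threw: true`, `error: "InvalidStateError"` and an "OK" verdict. The probe deliberately stops at the assignment step: it does not build a form or call `submit()`, because the question a defender needs answered is only whether script control of the file name is possible at all.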
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:09 PDT